QuantumVault Documentation

Enterprise-grade post-quantum cryptography platform providing NIST-certified algorithms for quantum-resistant encryption, digital signatures, and secure key management.

🛡️

Quantum-Safe

Protected against both classical and quantum computer attacks

🏆

NIST Certified

FIPS 203, 204, 205 compliant algorithms

⚡

High Performance

Sub-50ms latency for all cryptographic operations

Why Post-Quantum Cryptography?

Quantum computers pose an existential threat to current cryptographic systems. RSA, ECC, and other widely-used algorithms can be broken by Shor's algorithm running on a sufficiently powerful quantum computer. The NSA and NIST have mandated a transition to quantum-resistant cryptography by 2035, with critical systems required to migrate by 2030.

Harvest Now, Decrypt Later (HNDL) Threat

Adversaries are already collecting encrypted data today with plans to decrypt it once quantum computers become available. Data with long-term sensitivity must be protected with quantum-resistant cryptography now.

Supported Algorithms

Algorithm	Type	Security Level	NIST Standard	Min. Tier
ML-KEM-512	Encryption	Level 1	FIPS 203	Professional
ML-KEM-768	Encryption	Level 3	FIPS 203	Community
ML-KEM-1024	Encryption	Level 5	FIPS 203	Professional
ML-DSA-44	Signature	Level 2	FIPS 204	Professional
ML-DSA-65	Signature	Level 3	FIPS 204	Professional
ML-DSA-87	Signature	Level 5	FIPS 204	Professional
SLH-DSA-SHAKE-128s	Signature	Level 1	FIPS 205	Professional
SLH-DSA-SHAKE-256f	Signature	Level 5	FIPS 205	Professional

Pricing Tiers

Free Forever

Community

$0 /month

1,000 operations/month

ML-KEM-768 encryption
Single API key
Community support

Quick Start Guide

Get up and running with QuantumVault in under 5 minutes. This guide covers API key generation, your first encryption operation, and basic key management.

Step 1: Get Your API Key

After signing up at quantumvault.allsecurex.com, your API key is automatically generated. You can view it in the API Keys section of your dashboard.

Keep Your API Key Secure

Your API key provides full access to cryptographic operations. Never expose it in client-side code, public repositories, or logs.

Step 2: Generate a Key Pair

cURL

curl -X POST https://api.quantumvault.allsecurex.com/keygen \
  -H "Content-Type: application/json" \
  -H "X-API-Key: qv_your_api_key_here" \
  -d '{
    "algorithm": "ML-KEM-768",
    "security_level": 3,
    "name": "my-first-key"
  }'

Step 3: Encrypt Data

cURL

# First, base64 encode your plaintext
PLAINTEXT=$(echo -n "Hello, Quantum World!" | base64)

curl -X POST https://api.quantumvault.allsecurex.com/encrypt \
  -H "Content-Type: application/json" \
  -H "X-API-Key: qv_your_api_key_here" \
  -d '{
    "algorithm": "ML-KEM-768",
    "public_key": "<public_key_from_keygen>",
    "plaintext": "'$PLAINTEXT'"
  }'

Step 4: Decrypt Data

cURL

curl -X POST https://api.quantumvault.allsecurex.com/decrypt \
  -H "Content-Type: application/json" \
  -H "X-API-Key: qv_your_api_key_here" \
  -d '{
    "algorithm": "ML-KEM-768",
    "secret_key": "<secret_key_from_keygen>",
    "encrypted_data": "<encrypted_data_from_encrypt>"
  }'

# Response plaintext is base64 encoded - decode it:
# echo "<plaintext>" | base64 -d

You're Ready!

You've successfully performed your first quantum-safe encryption and decryption. Explore the full API documentation to learn about digital signatures, key management, and advanced features.

Authentication

QuantumVault uses API key authentication for all cryptographic operations. Each request must include a valid API key in the X-API-Key header.

API Key Format

API keys follow the format qv_ followed by 32 cryptographically random characters.

                            Request Header
                        
X-API-Key: qv_k7x9mN2pQ4rS6tU8vW0yA3bC5dE7fG9h

Security Best Practices

Store API keys in environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault)
Never commit API keys to version control
Use different API keys for development, staging, and production environments
Rotate API keys every 90 days
Monitor usage for anomalies in the dashboard
Revoke compromised keys immediately

Rate Limits

Tier	Requests/Minute	Burst Limit	Monthly Operations
Community	60	100	1,000
Professional	600	1,000	100,000
Enterprise	6,000	10,000	Unlimited

Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset

SDKs & Integration

QuantumVault provides official SDKs for Node.js, Python, Go, and Java. These SDKs offer drop-in quantum-safe cryptography with zero code changes required for your existing applications.

Zero Code Changes Required

Our Node.js and Python SDKs automatically intercept and upgrade classical cryptographic operations to quantum-safe equivalents. Simply install the package and configure it at startup - your existing code works unchanged!

Available SDKs

📦

Node.js

@allsecurex-quantum/crypto-shim

npm install @allsecurex-quantum/crypto-shim

🐍

Python

quantumvault-cryptography

pip install quantumvault-cryptography

🔷

Go

github.com/AllSecureX-Quantum/quantumvault-go

go get github.com/AllSecureX-Quantum/quantumvault-go

☕

Java

io.quantumvault:quantumvault-crypto

Maven Central

Node.js SDK

@allsecurex-quantum/crypto-shim

Drop-in quantum-safe upgrade for Node.js applications. Zero code changes required - automatically upgrades RSA, ECDSA, and ECDH operations to ML-KEM and ML-DSA hybrids.

Installation

npm

npm install @allsecurex-quantum/crypto-shim

Quick Start

app.js (entry point)

// IMPORTANT: This must be the VERY FIRST line of your application
require('@allsecurex-quantum/crypto-shim').install({
  apiKey: process.env.QUANTUMVAULT_API_KEY,
  mode: 'hybrid', // 'monitor' | 'hybrid' | 'pq_only'
  logging: {
    enabled: true,
    level: 'info'
  }
});

// Now use crypto as normal - it's quantum-safe!
const crypto = require('crypto');

// Your existing code works unchanged!
// RSA signatures → automatically upgraded to ML-DSA-65 hybrid
const sign = crypto.createSign('RSA-SHA256');
sign.update('data to sign');
const signature = sign.sign(privateKey);

// ECDH key exchange → automatically upgraded to ML-KEM-768 hybrid
const ecdh = crypto.createECDH('prime256v1');
const publicKey = ecdh.generateKeys();

Python SDK

quantumvault-cryptography

Drop-in quantum-safe upgrade for Python applications. Works with existing cryptography library usage - all crypto operations are upgraded transparently.

Installation

pip

pip install quantumvault-cryptography

Quick Start

app.py (entry point)

# IMPORTANT: Must be called BEFORE importing cryptography
import os
import quantumvault_cryptography

quantumvault_cryptography.install(
    api_key=os.environ['QUANTUMVAULT_API_KEY'],
    mode='hybrid'  # 'monitor' | 'hybrid' | 'pq_only'
)

# Now import and use cryptography as normal
from cryptography.hazmat.primitives.asymmetric import rsa, ec

# Your existing code works unchanged!
# RSA key generation → automatically includes ML-KEM-768
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048
)

# ECDSA signing → automatically includes ML-DSA hybrid
ec_key = ec.generate_private_key(ec.SECP256R1())

Go SDK

github.com/AllSecureX-Quantum/quantumvault-go

Native post-quantum cryptography SDK for Go. Implements ML-KEM (FIPS 203) and ML-DSA (FIPS 204) with full support for Go's crypto.Signer interface.

Installation

go get

go get github.com/AllSecureX-Quantum/quantumvault-go

ML-KEM Key Encapsulation (FIPS 203)

Go

package main

import (
    "fmt"
    qv "github.com/AllSecureX-Quantum/quantumvault-go"
)

func main() {
    // Security levels: MLKEM512, MLKEM768 (recommended), MLKEM1024
    pub, priv, err := qv.GenerateMLKEMKeyPair(qv.MLKEM768)
    if err != nil {
        panic(err)
    }

    // Encapsulate - generates ciphertext and shared secret
    ciphertext, sharedSecret1, err := qv.Encapsulate(pub)
    if err != nil {
        panic(err)
    }

    // Decapsulate - recovers the same shared secret
    sharedSecret2, err := qv.Decapsulate(priv, ciphertext)
    if err != nil {
        panic(err)
    }

    fmt.Printf("Shared secrets match: %v\n",
        string(sharedSecret1) == string(sharedSecret2))
}

ML-KEM (Key Encapsulation)

NIST FIPS 203 | Formerly CRYSTALS-Kyber

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is NIST's primary post-quantum encryption standard. It provides secure key exchange resistant to quantum computer attacks while maintaining excellent performance.

Available Parameter Sets

Algorithm	Security Level	Public Key	Secret Key	Ciphertext	Recommended Use
ML-KEM-512	Level 1 (AES-128)	800 bytes	1,632 bytes	768 bytes	IoT, edge devices
ML-KEM-768	Level 3 (AES-192)	1,184 bytes	2,400 bytes	1,088 bytes	General purpose (default)
ML-KEM-1024	Level 5 (AES-256)	1,568 bytes	3,168 bytes	1,568 bytes	High security, CNSA 2.0

Recommendation

ML-KEM-768 is recommended for most applications. It provides 192-bit classical security equivalent, excellent performance, and is the default in QuantumVault.

ML-DSA (Digital Signatures)

NIST FIPS 204 | Formerly CRYSTALS-Dilithium

ML-DSA (Module-Lattice-Based Digital Signature Algorithm) is NIST's primary post-quantum digital signature standard. It enables quantum-resistant authentication, non-repudiation, and data integrity verification.

Available Parameter Sets

Algorithm	Security Level	Public Key	Secret Key	Signature	Operations/sec
ML-DSA-44	Level 2 (AES-128)	1,312 bytes	2,560 bytes	2,420 bytes	~7,000
ML-DSA-65	Level 3 (AES-192)	1,952 bytes	4,032 bytes	3,293 bytes	~4,000
ML-DSA-87	Level 5 (AES-256)	2,592 bytes	4,896 bytes	4,595 bytes	~2,500

Use Cases

Code Signing - Verify software authenticity and integrity
Document Signing - Legal contracts, certificates, compliance documents
API Authentication - Request signing for API security
Blockchain - Quantum-resistant transaction signatures
PKI Certificates - X.509 certificate signatures

Key Generation

Generate quantum-safe cryptographic key pairs for encryption (ML-KEM) or digital signatures (ML-DSA, SLH-DSA).

POST /keygen Generate a new key pair

Request Body

Parameter	Type	Required	Description
algorithm	string	Yes	ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, ML-DSA-87
security_level	integer	Yes	1, 3, or 5 (must match algorithm)
name	string	No	Human-readable name for the key
description	string	No	Description or notes

Example Request

cURL

curl -X POST https://api.quantumvault.allsecurex.com/keygen \
  -H "Content-Type: application/json" \
  -H "X-API-Key: qv_your_api_key" \
  -d '{
    "algorithm": "ML-KEM-768",
    "security_level": 3,
    "name": "production-encryption-key",
    "description": "Primary encryption key for customer data"
  }'

Response

                                    200 OK
                                

{
  "key_id": "qv_key_7f3e8c2a-b1d4-4e5f-9a6c-8d7e2f1b3a4c",
  "name": "production-encryption-key",
  "algorithm": "ML-KEM-768",
  "security_level": 3,
  "public_key": "MIIBojANBgkqhki...base64_encoded...",
  "secret_key": "MIIEvgIBADANBgk...base64_encoded...",
  "stored": true,
  "created_at": "2025-01-26T10:30:00.000Z"
}
                                

Store Secret Keys Securely

The secret key is only returned once during generation. Store it immediately in a secure location (AWS Secrets Manager, HashiCorp Vault, HSM). If lost, you must generate a new key pair.

Encryption

Encrypt data using ML-KEM key encapsulation. The plaintext is encrypted with a symmetric key derived from the KEM shared secret.

POST /encrypt Encrypt data with public key

Request Body

Parameter	Type	Required	Description
algorithm	string	Yes	ML-KEM-512, ML-KEM-768, or ML-KEM-1024
public_key	string	Yes	Base64-encoded public key from keygen
plaintext	string	Yes	Base64-encoded data to encrypt (max 1MB)

Example

Node.js

const crypto = require('crypto');

// Your sensitive data
const plaintext = JSON.stringify({
  ssn: '123-45-6789',
  accountNumber: '9876543210'
});

// Base64 encode the plaintext
const encodedPlaintext = Buffer.from(plaintext).toString('base64');

const response = await fetch('https://api.quantumvault.allsecurex.com/encrypt', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': process.env.QUANTUMVAULT_API_KEY
  },
  body: JSON.stringify({
    algorithm: 'ML-KEM-768',
    public_key: recipientPublicKey,
    plaintext: encodedPlaintext
  })
});

const result = await response.json();
console.log('Encrypted:', result.encrypted_data);

Digital Signatures

Create quantum-safe digital signatures using ML-DSA or SLH-DSA algorithms. Signatures provide authentication, integrity, and non-repudiation.

POST /sign Sign a message

Request Body

Parameter	Type	Required	Description
algorithm	string	Yes	ML-DSA-44, ML-DSA-65, ML-DSA-87, or SLH-DSA variants
signing_key	string	Yes	Base64-encoded signing (secret) key
message	string	Yes	Base64-encoded message to sign

Example

Python

import requests
import base64

API_KEY = "qv_your_api_key"
BASE_URL = "https://api.quantumvault.allsecurex.com"

# Sign a message
message = base64.b64encode(b"Document content to sign").decode()
sign_response = requests.post(
    f"{BASE_URL}/sign",
    headers={"X-API-Key": API_KEY},
    json={
        "algorithm": "ML-DSA-65",
        "signing_key": signing_private_key,
        "message": message
    }
)
signature = sign_response.json()["signature"]

# Verify the signature
verify_response = requests.post(
    f"{BASE_URL}/verify",
    headers={"X-API-Key": API_KEY},
    json={
        "algorithm": "ML-DSA-65",
        "verifying_key": signing_public_key,
        "message": message,
        "signature": signature
    }
)
is_valid = verify_response.json()["valid"]  # True if signature is valid

Error Handling

QuantumVault uses standard HTTP status codes and returns detailed error information to help you diagnose and handle issues.

Error Response Format

                            Error Response
                        

{
  "error": {
    "code": "INVALID_ALGORITHM",
    "message": "Algorithm 'AES-256' is not supported for this operation."
  }
}
                        

Error Codes

HTTP Status	Error Code	Description
400	INVALID_REQUEST	Malformed JSON or missing required fields
400	INVALID_ALGORITHM	Unsupported or misspelled algorithm
400	INVALID_KEY_FORMAT	Key is not valid base64 or wrong format
400	DATA_TOO_LARGE	Plaintext exceeds 1MB limit
401	MISSING_API_KEY	X-API-Key header not provided
401	INVALID_API_KEY	API key invalid, expired, or revoked
403	ALGORITHM_NOT_ALLOWED	Algorithm not available in your tier
403	QUOTA_EXCEEDED	Monthly operation limit reached
404	KEY_NOT_FOUND	Requested key ID does not exist
429	RATE_LIMIT_EXCEEDED	Too many requests, slow down
500	INTERNAL_ERROR	Unexpected server error

Financial Services

Quantum-Safe Cryptography for Banks, Investment Firms & Insurance

Financial institutions handle some of the most sensitive data in the world. With quantum computers threatening to break current encryption, the financial sector faces unique challenges in protecting customer assets, transaction integrity, and regulatory compliance.

💳

Transaction Authentication

Sign wire transfers, ACH batches, and SWIFT messages with ML-DSA to prevent tampering.

🔐

Customer Data Encryption

Encrypt PII, account numbers, and financial records with ML-KEM for quantum-safe storage.

🏦

Inter-Bank Communication

Secure bank-to-bank data exchange with quantum-resistant encryption and authentication.

📜

Digital Certificates

Issue quantum-safe certificates for secure communication and code signing.

Healthcare

Protecting Patient Data with Quantum-Resistant Cryptography

Healthcare organizations manage protected health information (PHI) that must remain confidential for decades. Patient records, genomic data, and medical research require the strongest possible encryption to meet HIPAA requirements and protect patient privacy.

HIPAA Compliance

HIPAA requires covered entities to implement "reasonable and appropriate" safeguards. With quantum computers on the horizon, quantum-resistant encryption is becoming the new standard for "reasonable" protection of PHI with long retention periods.

Defense & Government

CNSA 2.0 Compliant Cryptography for National Security

Government and defense organizations have the strictest security requirements. The NSA's CNSA 2.0 (Commercial National Security Algorithm Suite) mandates quantum-resistant cryptography for all National Security Systems by 2030.

Use Case	Required Algorithm	QuantumVault Support
Software/Firmware Signing	ML-DSA-87	Full support
Key Establishment	ML-KEM-1024	Full support
Symmetric Encryption	AES-256	Used internally
Hashing	SHA-384/SHA-512	Used internally

NIST FIPS Standards

QuantumVault implements algorithms from NIST's Post-Quantum Cryptography Standardization process, finalized in August 2024. These are the first quantum-resistant cryptographic standards approved for federal use.

FIPS 203

Module-Lattice-Based Key-Encapsulation Mechanism Standard

ML-KEM (formerly CRYSTALS-Kyber)

Published: August 13, 2024

Purpose: Key encapsulation for encryption

FIPS 204

Module-Lattice-Based Digital Signature Standard

ML-DSA (formerly CRYSTALS-Dilithium)

Published: August 13, 2024

Purpose: Digital signatures

FIPS 205

Stateless Hash-Based Digital Signature Standard

SLH-DSA (formerly SPHINCS+)

Published: August 13, 2024

Purpose: Hash-based signatures for maximum long-term security

Compliance Frameworks

QuantumVault is designed to help organizations meet various regulatory and industry compliance requirements with quantum-safe cryptography.

SOC 2 Type II

Compliant

Service organization controls for security, availability, and confidentiality

PCI-DSS 4.0

Compatible

Payment Card Industry Data Security Standard

HIPAA

Compatible

Health Insurance Portability and Accountability Act

GDPR

Compatible

General Data Protection Regulation (EU)

Compliance Documentation

Enterprise customers can request detailed compliance documentation, audit reports, and penetration test results. Contact [email protected] for more information.

Post-Quantum Cryptography

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks from quantum computers. Unlike classical computers, quantum computers can efficiently solve certain mathematical problems that form the basis of current encryption.

The Quantum Threat

Vulnerable Algorithms

RSA - Broken by Shor's algorithm
ECDSA/ECDH - Broken by Shor's algorithm
DSA - Broken by Shor's algorithm
Diffie-Hellman - Broken by Shor's algorithm

Quantum-Safe (QuantumVault)

ML-KEM - Lattice-based encryption
ML-DSA - Lattice-based signatures
SLH-DSA - Hash-based signatures
AES-256 - Symmetric (Grover resistant)

Mathematical Foundations

QuantumVault's algorithms are built on mathematical problems believed to be hard for both classical and quantum computers:

Learning With Errors (LWE)

The foundation of ML-KEM and ML-DSA. Finding a secret vector from noisy linear equations is computationally infeasible.

ML-KEM-512 ML-KEM-768 ML-KEM-1024 ML-DSA-44 ML-DSA-65 ML-DSA-87

Hash Function Security

SLH-DSA relies only on the security of cryptographic hash functions (SHA3/SHAKE), which remain secure against quantum attacks.

SLH-DSA-SHAKE-128s SLH-DSA-SHAKE-128f SLH-DSA-SHAKE-256s SLH-DSA-SHAKE-256f

NIST Standardization Timeline

NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024. Organizations are encouraged to begin migration immediately. The NSA's CNSA 2.0 mandates quantum-resistant cryptography for National Security Systems by 2030.

Security Levels

NIST defines security levels based on the computational effort required to break an algorithm. QuantumVault supports all levels, allowing you to choose the appropriate security for your use case.

LEVEL 1 AES-128 equivalent

Level 1

Provides security roughly equivalent to AES-128. Suitable for data with shorter sensitivity periods.

Algorithms

ML-KEM-512 ML-DSA-44 SLH-DSA-SHAKE-128s/f

Use Cases

Development/testing IoT devices Edge computing

LEVEL 3 AES-192 equivalent

Level 3 (Recommended)

The recommended default for most applications. Provides strong security with excellent performance.

Algorithms

ML-KEM-768 ML-DSA-65

Use Cases

Production systems Financial data Healthcare records Enterprise applications

LEVEL 5 AES-256 equivalent

Level 5

Maximum security level. Required for CNSA 2.0 compliance and classified information.

Algorithms

ML-KEM-1024 ML-DSA-87 SLH-DSA-SHAKE-256s/f

Use Cases

Government/defense Top secret data Long-term archives CNSA 2.0 compliance

Choosing a Security Level

Higher security levels mean larger key sizes and slightly slower operations. For most applications, Level 3 (ML-KEM-768, ML-DSA-65) provides the optimal balance of security and performance. Use Level 5 only when mandated by compliance requirements or for data requiring protection beyond 2050.

SLH-DSA (Hash-Based Signatures)

NIST FIPS 205 | Formerly SPHINCS+

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) provides maximum long-term security by relying solely on the security of hash functions. Unlike lattice-based schemes, its security is well-understood and conservative.

When to Use SLH-DSA

SLH-DSA is ideal for scenarios requiring maximum long-term security where signature size and speed are less critical: root CA certificates, firmware signing, archival systems, and applications with 50+ year data retention requirements.

Parameter Sets

Algorithm	Security	Signature Size	Speed	Best For
`SLH-DSA-SHAKE-128s`	Level 1	7,856 bytes	Slow	Small signatures
`SLH-DSA-SHAKE-128f`	Level 1	17,088 bytes	Fast	Fast signing
`SLH-DSA-SHAKE-256s`	Level 5	29,792 bytes	Slow	Maximum security, small
`SLH-DSA-SHAKE-256f`	Level 5	49,856 bytes	Fast	Maximum security, fast

SLH-DSA vs ML-DSA

Aspect	ML-DSA	SLH-DSA
Security Basis	Lattice problems (LWE)	Hash functions only
Signature Size	2.4-4.6 KB	7.8-49.8 KB
Signing Speed	Very fast	Slower
Security Confidence	High (newer research)	Very high (conservative)
Best Use Case	General purpose	Long-term archival, root CAs

Decryption

Decrypt data that was encrypted using ML-KEM. Requires the corresponding secret key.

Endpoint

POST /v1/decrypt

Request Body

Parameter	Type	Required	Description
`algorithm`	string	Yes	Must match encryption algorithm
`secret_key`	string	Yes	Base64-encoded secret key
`encrypted_data`	string	Yes	Output from /encrypt endpoint

Example

Python

import requests
import base64

response = requests.post(
    'https://api.quantumvault.allsecurex.com/decrypt',
    headers={'X-API-Key': api_key},
    json={
        'algorithm': 'ML-KEM-768',
        'secret_key': secret_key,
        'encrypted_data': encrypted_data
    }
)

result = response.json()
plaintext = base64.b64decode(result['plaintext']).decode('utf-8')
print(f"Decrypted: {plaintext}")

Response

200 OK

{
  "plaintext": "eyJzc24iOiIxMjMtNDUtNjc4OSIsImFjY291bnROdW1iZXIiOiI5ODc2NTQzMjEwIn0="
}

Note: The plaintext is base64 encoded. Decode it to get the original data.

Signature Verification

Verify digital signatures to confirm authenticity and integrity of signed data.

Endpoint

POST /v1/verify

Request Body

Parameter	Type	Required	Description
`algorithm`	string	Yes	Must match signing algorithm
`verifying_key`	string	Yes	Base64-encoded public key
`message`	string	Yes	Base64-encoded original message
`signature`	string	Yes	Signature from /sign endpoint

Example

TypeScript

async function verifySignature(
  message: string,
  signature: string,
  publicKey: string
): Promise<boolean> {
  const response = await fetch('https://api.quantumvault.allsecurex.com/verify', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': process.env.QUANTUMVAULT_API_KEY!
    },
    body: JSON.stringify({
      algorithm: 'ML-DSA-65',
      verifying_key: publicKey,
      message: message,
      signature: signature
    })
  });

  const result = await response.json();
  return result.valid;
}

// Usage
const isValid = await verifySignature(messageB64, signature, signerPublicKey);
if (isValid) {
  console.log('Signature verified - document is authentic');
} else {
  console.error('SIGNATURE INVALID - document may be tampered');
}

Response

200 OK

{
  "valid": true
}

Always Verify

Always verify signatures before trusting signed data. A valid: false response means the signature doesn't match - the message may have been altered or the signature was created with a different key.

Key Management

QuantumVault provides secure cloud-based key storage and management. All keys are encrypted at rest using AES-256 and are only accessible via your API key.

List Keys

GET /keys

cURL

curl -X GET https://api.quantumvault.allsecurex.com/keys \
  -H "X-API-Key: qv_your_api_key"

Get Key Details

GET /keys/:id

Delete Key

DELETE /keys/:id

Key Deletion is Permanent

Deleting a key is irreversible. Any data encrypted with the key will become permanently unrecoverable. Consider implementing key rotation instead of deletion.

Java SDK

io.quantumvault:quantumvault-crypto (JCA Provider)

JCA Provider for post-quantum cryptography. Integrates with standard Java Security API - use KeyPairGenerator, Cipher, and Signature as usual.

Installation

Maven (pom.xml)

<dependency>
    <groupId>io.quantumvault</groupId>
    <artifactId>quantumvault-crypto</artifactId>
    <version>1.0.0</version>
</dependency>

Quick Start

Java

import java.security.*;
import io.quantumvault.crypto.QuantumVaultProvider;

public class Example {
    public static void main(String[] args) throws Exception {
        // Register the JCA provider
        Security.addProvider(new QuantumVaultProvider());

        // Generate ML-KEM key pair (FIPS 203)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("ML-KEM-768", "QuantumVault");
        KeyPair kemKeyPair = kpg.generateKeyPair();
        System.out.println("Generated ML-KEM-768 key pair!");

        // Generate ML-DSA key pair (FIPS 204)
        KeyPairGenerator sigKpg = KeyPairGenerator.getInstance("ML-DSA-65", "QuantumVault");
        KeyPair sigKeyPair = sigKpg.generateKeyPair();

        // Sign message
        Signature sig = Signature.getInstance("ML-DSA-65", "QuantumVault");
        sig.initSign(sigKeyPair.getPrivate());
        sig.update("Hello, Quantum World!".getBytes());
        byte[] signature = sig.sign();

        // Verify signature
        sig.initVerify(sigKeyPair.getPublic());
        sig.update("Hello, Quantum World!".getBytes());
        boolean valid = sig.verify(signature);
        System.out.println("Signature valid: " + valid);
    }
}

REST API

Direct HTTP API for any language or platform. Use this when an SDK isn't available for your language, or when you need fine-grained control over cryptographic operations.

Base URL

API Endpoint

https://api.quantumvault.allsecurex.com

Authentication

Request Headers

Content-Type: application/json
X-API-Key: qv_your_api_key_here

Endpoints Summary

Method	Endpoint	Description
POST	`/keygen`	Generate new key pair
POST	`/encrypt`	Encrypt data with public key
POST	`/decrypt`	Decrypt data with secret key
POST	`/sign`	Sign message with signing key
POST	`/verify`	Verify digital signature
GET	`/keys`	List stored cryptographic keys
GET	`/keys/:id`	Get key details
DELETE	`/keys/:id`	Delete stored key
GET	`/usage`	Get usage summary
GET	`/health`	Health check (no auth)

Enterprise Software

Quantum-Ready Applications for Modern Enterprises

Modern enterprises face increasing cyber threats while managing sensitive customer data, intellectual property, and business secrets. QuantumVault provides the cryptographic foundation for building quantum-ready applications.

Integration Patterns

SaaS Applications

Encrypt tenant data with unique keys per customer. Use ML-KEM-768 for data at rest and ML-DSA for webhook authentication.

// Per-tenant encryption
const tenantKey = await qv.keygen({
  algorithm: 'ML-KEM-768',
  name: `tenant-${tenantId}-key`
});
const encrypted = await qv.encrypt({
  publicKey: tenantKey.public_key,
  plaintext: customerData
});

API Security

Sign API requests and responses for integrity verification. Detect tampering and replay attacks.

// Request signing
const signature = await qv.sign({
  algorithm: 'ML-DSA-65',
  signingKey: apiPrivateKey,
  message: JSON.stringify(requestBody)
});
headers['X-Signature'] = signature;

Security Best Practices

Follow these guidelines to maximize the security of your QuantumVault implementation.

API Key Security

Never expose API keys in client-side code, public repositories, or logs
Store API keys in environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault)
Use different API keys for development, staging, and production
Rotate API keys every 90 days
Revoke compromised keys immediately

Key Management

Store secret keys in hardware security modules (HSM) or cloud secret managers
Never log or transmit secret keys in plaintext
Implement key rotation policies (recommended: 1 year for encryption keys)
Use separate keys for different purposes (encryption vs signing)
Maintain secure backups of keys with proper access controls

Algorithm Selection

Use ML-KEM-768 (Level 3) for general encryption needs
Use ML-KEM-1024 (Level 5) for CNSA 2.0 compliance or long-term security
Use ML-DSA-65 for general digital signatures
Use SLH-DSA for root CA certificates and long-term archives
Match security levels consistently (don't mix Level 1 encryption with Level 5 signatures)

Key Management Best Practices

Proper key management is critical for maintaining cryptographic security.

Key Lifecycle

1

Generation

Create keys with appropriate algorithm and security level

2

Storage

Secure storage with encryption at rest

3

Rotation

Regular rotation per policy

4

Retirement

Secure deletion when no longer needed

Rotation Recommendations

Key Type	Rotation Interval	Notes
API Keys	90 days	Rotate more frequently if exposed
Encryption Keys	1 year	Keep old versions for decryption
Signing Keys	2 years	Longer for certificate chains
Root CA Keys	5+ years	Use SLH-DSA for maximum longevity

Integration Patterns

Common patterns for integrating QuantumVault into your applications.

Best Practices for Integration

Store Keys Securely

Keys are automatically stored in QuantumVault. For sensitive applications, retrieve keys only when needed and avoid keeping secret keys in memory longer than necessary.

Use Environment Variables

Never hardcode API keys in source code. Use environment variables or secret managers like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault.

Handle Errors Gracefully

Implement proper error handling for network failures, rate limits, and API errors. Use exponential backoff for retries.

Monitor Usage

Regularly check your usage statistics via the /usage endpoint or dashboard to ensure you stay within your tier limits.

Enterprise Features

Production-ready post-quantum cryptography for enterprise deployments. QuantumVault Enterprise provides advanced features for organizations requiring seamless migration to quantum-safe cryptography without disrupting existing systems.

Crypto Plugins

Drop-in quantum-safe upgrades for existing applications with zero code changes

Hybrid Encryption

Classical + Post-Quantum cryptography for defense-in-depth during transition

Key Rotation

Automated key rotation policies with compliance audit trails

Compliance Reporting

CNSA 2.0, FIPS 140-3, and industry-specific compliance reports

Why Enterprise?

Zero Downtime Migration - Migrate to quantum-safe crypto without service interruption

Backward Compatibility - Hybrid modes ensure compatibility with existing systems

Compliance Ready - Meet CNSA 2.0, NIST, and industry compliance requirements

Enterprise Support - 24/7 support with dedicated account management

Crypto Plugins

Drop-in quantum-safe upgrades for existing applications. Zero code changes required.

Zero Code Changes Required

Crypto Plugins intercept cryptographic operations at the library level, automatically upgrading classical algorithms to quantum-safe alternatives without modifying your application code.

Supported Platforms

Python

quantumvault-cryptography Available

Node.js

@allsecurex-quantum/crypto-shim Available

Java JCA

io.quantumvault:jca-provider Available

Go

github.com/quantumvault/crypto Available

Algorithm Mappings

Classical Algorithm	Hybrid Upgrade	PQ-Only
`RSA-2048`	`RSA-2048 + ML-KEM-768`	`ML-KEM-768`
`ECDH P-256`	`ECDH-P256 + ML-KEM-768`	`ML-KEM-768`
`ECDSA P-256`	`ECDSA-P256 + ML-DSA-44`	`ML-DSA-44`
`ECDSA P-384`	`ECDSA-P384 + ML-DSA-65`	`ML-DSA-65`
`Ed25519`	`Ed25519 + ML-DSA-44`	`ML-DSA-44`
`X25519`	`X25519 + ML-KEM-768`	`ML-KEM-768`

Hybrid Encryption

Classical + Post-Quantum cryptography for defense-in-depth during the quantum transition period.

CNSA 2.0 Compliant

Hybrid encryption meets NSA's Commercial National Security Algorithm Suite 2.0 requirements for the quantum transition period, combining approved classical and post-quantum algorithms.

What is Hybrid Encryption?

Hybrid encryption combines classical cryptographic algorithms (RSA, ECDH, ECDSA) with post-quantum algorithms (ML-KEM, ML-DSA) to provide security against both classical and quantum attacks. This "belt and suspenders" approach ensures that even if one algorithm is broken, the other continues to provide protection.

Key Types

Key Encapsulation

For encrypting data or establishing shared secrets.

• ECDH-P384 + ML-KEM-1024 (CNSA 2.0)
• ECDH-P256 + ML-KEM-768
• X25519 + ML-KEM-768

Digital Signatures

For signing and verifying data integrity.

• ECDSA-P384 + ML-DSA-87 (CNSA 2.0)
• ECDSA-P256 + ML-DSA-65
• Ed25519 + ML-DSA-44

CNSA 2.0 Compliance

For CNSA 2.0 compliance, use: ECDH-P384 + ML-KEM-1024 for encryption, ECDSA-P384 + ML-DSA-87 for signatures. These combinations meet NSA requirements for protecting classified information through 2030+.

Automated Key Rotation

Enterprise-grade key lifecycle management with automated rotation policies.

Create Rotation Policy

cURL

curl -X POST https://api.quantumvault.allsecurex.com/keys/rotation-policies \
  -H "X-API-Key: qv_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Key Rotation",
    "rotation_interval_days": 90,
    "algorithm": "ML-KEM-1024",
    "auto_rotate": true,
    "notify_before_days": 7,
    "notification_emails": ["[email protected]"],
    "retention_versions": 3
  }'

Rotation Best Practices

90-day rotation - Rotate encryption keys every 90 days for general use

30-day for high-security - More frequent rotation for sensitive data

Keep 3 versions - Retain previous versions for decrypting old data

Automate notifications - Alert security team before rotation occurs

Compliance Reporting

Generate comprehensive compliance reports demonstrating your organization's quantum-readiness and adherence to cryptographic standards.

CNSA 2.0

NSA quantum-resistant requirements

FIPS 140-3

Cryptographic module validation

FIPS 203/204/205

PQC algorithm standards

SOC 2 Type II

Security controls audit

Generate Report

cURL

curl -X POST https://api.quantumvault.allsecurex.com/compliance/reports \
  -H "X-API-Key: qv_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "report_type": "cnsa_2_0",
    "period_start": "2026-01-01",
    "period_end": "2026-01-31",
    "include_sections": [
      "algorithm_usage",
      "key_rotation_compliance",
      "quantum_risk_assessment",
      "remediation_recommendations"
    ]
  }'

Migration Guide

Step-by-step guide to quantum-safe migration. Migrating to post-quantum cryptography doesn't have to be disruptive.

Migration Phases

1

Discovery 1-2 weeks

Audit existing cryptographic usage with monitor mode

2

Planning 1-2 weeks

Identify critical systems and prioritize migration order

3

Pilot 2-4 weeks

Deploy hybrid mode on non-critical systems first

4

Rollout 4-8 weeks

Gradual rollout to production with monitoring

5

Optimization Ongoing

Fine-tune settings and move to pq_only where appropriate

Zero-Code Migration

Migrate to quantum-safe crypto without changing application code.

Fastest Path to Quantum Safety

Using crypto plugins, you can make your entire application quantum-safe by adding just 3-5 lines of code at the application entry point. No changes to business logic required.

Step-by-Step Guide

Step 1: Get Your API Key

Sign up for QuantumVault and obtain your API key from the dashboard.

Step 2: Install the Plugin

Install for your platform

# Python
pip install quantumvault-cryptography

# Node.js
npm install @allsecurex-quantum/crypto-shim

# Java (Maven)
<dependency>
  <groupId>io.quantumvault</groupId>
  <artifactId>jca-provider</artifactId>
  <version>1.0.0</version>
</dependency>

Step 3: Initialize at Startup

Python

# Add at the VERY TOP of your main file
import quantumvault_cryptography
quantumvault_cryptography.install(
    api_key=os.environ['QUANTUMVAULT_API_KEY'],
    mode='hybrid'
)

# That's it! All crypto operations are now quantum-safe.
# Your existing code works unchanged.

Step 4: Monitor in Dashboard

View the Crypto Plugins dashboard to see upgrade statistics, algorithm usage, and quantum risk reduction metrics in real-time.

Gradual Rollout Strategy

Safely deploy quantum-safe crypto across your infrastructure with percentage-based rollouts.

Rollout Configuration

Python

import quantumvault_cryptography

# Start with 10% of operations being upgraded
quantumvault_cryptography.install(
    api_key=os.environ['QUANTUMVAULT_API_KEY'],
    mode='hybrid',
    rollout={
        'percentage': 10,           # Only 10% of operations upgraded
        'sticky_sessions': True,    # Same user gets consistent behavior
        'exclude_paths': [          # Exclude critical paths initially
            '/api/payments/*',
            '/api/auth/*'
        ]
    }
)

# After validation, increase to 50%
# quantumvault_cryptography.set_rollout_percentage(50)

# Finally, 100% rollout
# quantumvault_cryptography.set_rollout_percentage(100)

Rollout Checklist

Deploy monitor mode first to understand current crypto usage

Start with 5-10% rollout on non-critical systems

Monitor error rates and latency in dashboard

Gradually increase percentage over 2-4 weeks

Keep classical fallback enabled during rollout

Testing Strategies

Validate quantum-safe migration before production deployment.

Unit Testing

Test individual crypto operations with quantum-safe algorithms

# Test that encryption/decryption works with hybrid mode
def test_hybrid_encryption():
    quantumvault_cryptography.install(api_key=TEST_KEY, mode='hybrid')

    plaintext = b"test message"
    ciphertext = encrypt(plaintext)
    decrypted = decrypt(ciphertext)

    assert decrypted == plaintext
    assert quantumvault_cryptography.status()['upgraded_operations'] > 0

Integration Testing

Test end-to-end flows with quantum-safe crypto

# Test API endpoints work with hybrid crypto
def test_api_with_hybrid_crypto():
    # Enable hybrid mode for tests
    response = client.post('/api/secure-data', json={'data': 'sensitive'})
    assert response.status_code == 200

    # Verify data can be retrieved
    response = client.get('/api/secure-data/123')
    assert response.json()['data'] == 'sensitive'

CI/CD Integration

Add quantum-safe tests to your CI/CD pipeline. Run tests in both classical and hybrid modes to ensure compatibility throughout the migration process.